6 lsi safestore encryption services, 1 enabling drive security using ekm, Section 11.6, lsi safestore – Avago Technologies MegaRAID Fast Path Software User Manual

Page 452

LSI Corporation Confidential

|

July 2011

MegaRAID SAS Software User Guide

Chapter 11: Using MegaRAID Advanced Software

|

LSI SafeStore Encryption Services

— IO Policy: Direct IO

— Read Policy: No Read Ahead

— Dish Cache Policy: Enabled

— Strip Size: 64KB

4. Click OK.

A confirmation dialog displays.

5. Select the Confirm check box, and click Yes to confirm that you want to set the

virtual drive properties.

11.6

LSI SafeStore Encryption

Services

LSI SafeStore Encryption Services offer the ability to encrypt data on the drives and use
the drive-based key management to provide data security. This solution provides data
protection in the event of theft or loss of physical drives. If you remove a
self-encrypting drive from its storage system or the server in which it resides, the data
on that drive is encrypted, and becomes useless to anyone who attempts to access it
without the appropriate security authorization.

This section describes how to enable, change, and disable the drive security, and how
to import a foreign configuration using the SafeStore Encryption Services advanced
software.

The SafeStore Encryption Services advanced software provides drive security to create
secure virtual drives by using External Key Management (EKM) and Local Key
Management (LKM).

11.6.1

Enabling Drive Security using

EKM

EKM is used for key management when large number of systems are deployed. You can
automate and manage the life cycle of keys and unlock configurations using EKM.

Another important feature of EKM is that you can use it without human intervention to
perform operations like drive migration and controller replacement.

MegaRAID accomplishes the task of obtaining keys by interacting with the EKM agent.
The EKM agent talks to the EKM server (EKMS) through a network and gets the security
key for the controller.

Keys are retrieved or created to perform the following tasks:



Create secure Virtual drives.



Insert drives to replace failed drives in a secure configuration.



Re-key the system based on EKMS policies or user request.



Gain access to a secured configuration during boot.



Unlock and import secured drives during migration.

Perform the following configurations to enable the drive security to create secure
virtual drive using the EKM mode with the support of EKM servers.



EKM mode is supported by MegaRAID Storage Manager, and EKMS is present.



EKM mode is supported by MegaRAID Storage Manager, and EKMS is not present.



Change the current security settings, or switch between the modes.



Change the security settings when the user is in EKM, and wants to switch to LKM.



Import Foreign Drives.